Privacy Statement Helmholtz Research Software Directory, version 1.0, 14.02.2023

1) What is this privacy statement for?

This privacy statement applies to the online Research Software Directory (the "RSD") as provided under the URL https://helmholtz.software. The RSD is an online service hosted and maintained by Helmholtz Centre Potsdam – GFZ German Research Centre for Geosciences, a Public Law Foundation under the laws of the Federal State of Brandenburg/Germany, Telegrafenberg, 14473 Potsdam, Germany, https://www.gfz-potsdam.de ("GFZ", or also "us", "we" and the like).

The RSD is an online content management system for research software ("Research Software"), through which organizations ("Organisations") and individual users ("Registered Users") can present their Research Software in its academic context. This improves the findability of this Research Software to visitors of the RSD ("Visitors") by linking the software to research projects ("Projects"), research outcomes ("Mentions") and research teams ("Contributors").

Organisations and individual users can get access to the RSD by registering an account (an "Account") on the RSD’s website. Organisations and Registered Users must agree to the Terms of Service, in which they agree to only use the personal data for the same purposes as those set out in this privacy statement, or purposes that are compatible with those purposes.

2) Name and address of controller

The data controller as defined in the General Data Protection Regulation, the national data protection laws of other EU member states, and other data protection regulations is:

Helmholtz Centre Potsdam – German Research Centre for Geosciences GFZ
Telegrafenberg
14473 Potsdam
Germany
Phone: +49 331 288 0
Website: https://www.gfz-potsdam.de

3) Name and address of data protection officer

The controller’s data protection officers are:
Marko Blau and Eva Grübel-Hoffmann
Telegrafenberg
14473 Potsdam
Germany
Phone: +49 331 288 1052
E-Mail: datenschutz@gfz-potsdam.de

4) General information on data processing

4.1 Scope of personal data processing

In general, the GFZ only processes personal data collected from users insofar as this is necessary to provide a functional website with the relevant content and services. As a rule, personal data provided by users is only processed with the respective user's consent. Exceptions apply in cases where the user’s prior consent cannot be obtained on factual grounds and statutory regulations permit the processing of personal data.

4.2 Legal basis for the processing of personal data

Art. 6 no. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis when the GFZ obtains a data subject's consent to the processing of his/her personal data.

Art. 6 no. 1 lit. b GDPR serves as the legal basis when processing personal data for the performance of a contract to which the data subject is a party. The same applies to any processing measures that are required if steps are to be taken before entering into a contract.

Art. 6 no. 1 lit. c GDPR serves as the legal basis when the processing of personal data is necessary for compliance with a legal obligation to which the GFZ is subject.

Art. 6 no. 1 lit. f GDPR serves as the legal basis when processing is necessary to safeguard the legitimate interests of the GFZ or a third party, and provided these legitimate interests are not outweighed by the data subject’s interests and fundamental rights and freedoms.

4.3 Data erasure and storage period

The data subject's personal data is erased or blocked as soon as the purpose for which it was stored ceases to apply. Personal data may also be stored if so specified by European or national legislators in EU regulations, laws or other provisions to which the data controller is subject. In such instances, personal data is blocked or erased when a retention period specified in any of the above-named legislation expires, unless it has to be retained for longer in order to conclude or execute a contract.

5) Whose personal data are included in the RSD?

The RSD contains personal data of:

  • persons who have contributed to the development of the Research Software as project team members or as software contributors (developers) (each a "Contributor");
  • persons who have published about the Research Software itself or about results produced using the Research Software, e.g. in papers, books, journals, blogs, videos, etc. (each also a Contributor);
  • Registered Users of the RSD, including users who are appointed as maintainers of an Organisation’s account ("Maintainers").

Visitors of the RSD can view the personal data of Contributors that is shared as part of the academic context of Research Software and projects. Visitors and Registered Users cannot view the personal data of other Registered Users, unless this personal data has intentionally been published to indicate this Registered User is also a Contributor.

6) What purposes are the personal data in the RSD used for?

The personal data of Contributors are used in the RSD to:

  • Show Visitors which Contributors contributed to the relevant Research Software and Projects;
  • Show Visitors relevant publications about the Research Software and the Contributors of such publications;
  • Direct Visitors to more information about a Contributor, i.e., through an ORCID-ID;
  • Allow Registered Users to add Contributors to the relevant Research Software and/or Project entry.

More information about which personal data are shown in the RSD can be found below, in the description of the data sources from which we obtain your personal data (‘From which sources do we obtain your personal data?’).

We process these personal data on the basis of our legitimate interest, and that of our Registered Users, to be able to provide meaningful information about the Research Software as well as that of the Contributors themselves, to allow them to be named as contributors.

The personal data of Registered Users are used by us to:

  • Allow Registered Users to create, use and manage their Account;
  • Verify their authorization to create and use an Account;
  • Verify their access to the Account and, where required, to take appropriate actions, e.g. block the Account in case of unauthorized access;
  • Allow us to create and manage Accounts of Organisation Maintainers;
  • Keep an administration with respect to the Registered Users;
  • Enforce the Terms of Service.

We process these personal data on the basis of our legitimate interest, and that of our Registered Users and the Organisations, to allow the Registered Users to access the RSD, as well as our legitimate interest to secure, manage and administrate the RSD including the Accounts. We also process the personal data to be able to perform the agreement with the relevant Registered User.

7) How do we use personal data of visitors of the RSD’s website?

7.1 Scope of personal data processing

The GFZ uses the open source software tool Matomo (formerly PIWIK) to analyse the browsing behaviour of its website users. The software stores a cookie on the user’s computer (see above for information about cookies). The following data is stored whenever individual pages on the website are accessed:

  1. Two bytes of the IP address of the user's accessing system
  2. The web page accessed
  3. The website from which the user reached the web page accessed (referrer)
  4. The sub pages retrieved from the main web page
  5. The time spent on the web page
  6. The frequency with which the web page is accessed

The software runs solely on the website servers. This is the only place where the user's personal data is stored. This data is not forwarded to any third party.

The software is configured in such a way as to prevent IP addresses from being stored in full; instead, 2 bytes of the IP address are masked (e.g. 192.168.xxx.xxx). This ensures that the truncated IP address can no longer be identified with the accessing computer. “Do not track” is also taken into account if the browser sends this.

7.2 Legal basis for the processing of personal data

The legal basis for the processing of the user’s personal data is Art. 6 no. 1 lit. f GDPR.

7.3 Purpose of data processing

Processing personal data enables us to analyse the browsing behaviour of our users. Evaluations of the data collected allow the GFZ to compile information about the use of individual components on the website. This helps us to continue improving our website and make it more user-friendly. These purposes also constitute our legitimate interest in processing the data pursuant to Art. 6 no. 1 lit. f GDPR. The user’s interest in the protection of his/her personal data is duly taken into account by anonymising the IP address.

7.4 Storage period

The data is erased as soon as we no longer need it for recording purposes.

7.5 Right to object and right to erasure

Cookies are stored on the user's computer, from where they are sent to our website. This means that users have full control over the use of cookies. Users can deactivate or restrict the transmission of cookies by changing their web browser settings. Any cookies already stored can be deleted at any time. This can also be effected automatically. If cookies are deactivated for the GFZ website, it may no longer be possible to use all the website’s functions in full.

Detailed information about Matomo's privacy settings is available at the following link: https://matomo.org/docs/privacy.

8) From which sources do we obtain your personal data?

8.1 Contributors’ personal data

We obtain Contributors’ personal data from the following sources:

  • ORCID is a non-profit organization that seeks to support open access to information for the research community. If you have created an ORCID account and if you are a Contributor with respect to specific Research Software included in the RSD, we import personal data from your ORCID profile (name, ORCID ID, organization you work for) which you have qualified in ORCID as public data. Registered Users can add that data to the Research Software’s entry in the RSD to list someone as a Contributor. Your ORCID ID is included in the RSD so that Visitors can easily find your ORCID profile. Please find ORCID’s privacy policy here.
  • Crossref is a not-for-profit membership organization that exists to make scholarly communications better and makes research objects easy to find, cite, link, assess, and reuse. Crossref members can add metadata with respect to their publications to the Crossref database. To add Mentions to Research Software and Projects, Registered Users can import metadata from Crossref, specifically the publication title, date, venue, and the names and affiliations of Contributors. Please find Crossref’s privacy policy here.
  • DataCite is a global non-profit organization that provides persistent digital object identifiers (DOIs) for research data and other research outputs. DataCite members can add DOIs and metadata with respect to their publications to the DataCite database. The database is made publicly available. To add Mentions to Research Software and Projects, Registered Users can import metadata from DataCite, specifically the publication title, date, venue, and the names and affiliations of Contributors. Please find DataCite’s privacy policy here.
  • Zenodo is a repository that helps researchers receive credit by making the research results citable via a DOI. The Zenodo database is made publicly available. Through OpenAIRE, these results are integrated into existing reporting lines of funding agencies like the European Commission. When adding Research Software, Registered Users may add the DOI of the Software Releases they have archived in Zenodo. Using this DOI, Registered Users can then import metadata about the software from Zenodo, such as the list of Contributors (including their name and, if available, ORCID), Software License, and Keywords. In addition, the RSD will automatically create an up-to-date list of software releases, and present those to Visitors, including proper citation information. Please find the Zenodo privacy policy here.
  • GitHub is an online software development platform which provides version control, continuous integration, issues, etc. When adding Research Software, Registered Users may add the GitHub repository URL to the Research Software Entry. Besides showing this URL to visitors, the RSD will also use it to retrieve public information about the software development from GitHub, including the programming languages used, the licence, and the development activity (such as commits). Although publicly displayed user names of developers will be imported through this GitHub feed, only aggregated data on development activity will be shown to Visitors. Please find the GitHub privacy policy here.
  • GitLab is an online software development platform which provides version control, continuous integration, issues, etc. When adding Research Software, Registered Users may add the GitLab repository URL to the Research Software Entry. Besides showing this URL to visitors, the RSD will also use it to retrieve public information about the software development from GitLab, including the programming languages used, the licence, and the development activity (such as commits). Although publicly displayed user names of developers will be imported through this GitLab feed, only aggregated data on development activity will be shown to Visitors. Please find the GitLab privacy policy here.

8.2 Registered Users’ personal data

We obtain Registered Users’ personal data from the Registered Users themselves or their Identity Provider (Helmholtz AAI, ORCID). When a User uses an Identity Provider to log into the RSD, we will receive the necessary data from that service, namely your name, email address, affiliation, and a unique Identity Provider ID.

9) With whom are your personal data shared?

The Contributors’ personal data are shared with Visitors of the RSD, including other Registered Users and Maintainers of Organisations. We are hosting this service on servers at GFZ, located in Germany. We may be obliged by law to share certain personal data, e.g. with a government authority or with a third party on the basis of a court order.

10) Where are your personal data stored?

The personal data in the RSD are stored in the European Economic Area / EEA (Germany). If a user accesses the RSD from outside the EEA, insofar as this is regarded as a transfer of personal data to outside the EEA, the user agrees to be bound by the Standard Contractual Clauses for transfers to outside the EEA.

11) How long are your personal data stored?

11.1 Contributors’ personal data

Contributors’ personal data are stored in the RSD for the duration that the Research Software or project entry exists. This entry is included in the RSD as long as the Research Software is relevant for the RSD; this depends on the Research Software itself and its relevance for the development / research community. If the entry is removed from the RSD, the personal data in the entry is also removed.

11.2 Registered Users’ personal data

Registered Users’ personal data are stored for the duration of the Registered Users’ Account and a period of one year after the Account is closed. The agreement with you is archived in the sense that we log your acceptance of these Terms of Service and the registration of your Account. After a period of two years of inactivity in the Account, we will send the Registered User a notification, asking them whether they wish to keep their Account or to delete it. Personal data that are stored in our financial administration are stored for a period of seven years from the relevant fiscal year.

11.3 If you contact us

If you contact us (see 14) via our Support e-mail address (support@hifis.net), personal data will be deleted at the latest after 36 months, or upon your request. If you contact us via GitHub, e.g. by posting an issue, this data will not be deleted except upon your request.

12) What rights do you have with respect to your personal data?

Pursuant to the General Data Protection Regulation (GDPR), you have the following rights with respect to your personal data:

  • the right to request access to your personal data;
  • the right to receive information about the processing of your personal data;
  • the right to have incorrect personal data rectified;
  • under certain conditions to have your personal data erased;
  • under certain conditions to have the processing of your personal data restricted;
  • under certain conditions to object to the processing of your personal data – however when we use your personal data for direct marketing purposes, you can object to this unconditionally;
  • if you have given consent for the processing of your personal data, to withdraw that consent (this applies to future use of your personal data);
  • the right to receive your personal data in a structured, commonly used and machine-readable format, where it concerns personal data (i) you have submitted to us and (ii) we process based on your consent or required for the performance of our contract with you and (iii) that is processed by automated means; in that case you may also ask us to transfer your personal data to another processor, where technically feasible;
  • the right to lodge a complaint with the supervisory authority.

If you want to exercise your rights, please send a request with respect to your personal data, detailing your request and using the contact details under ‘Contacting Us’ below. We may ask you to provide additional information in order for us to verify that your request relates to your personal data.
Please note that we may be entitled under applicable laws to refuse certain requests.

13) Obligation to provide data

To view the publicly available information of the RSD, the provision of private data is not required.

14) Contacting Us

If there are any questions regarding this Privacy Statement or about your personal data, you may contact us using the information below.

If you have any questions or complaints, or another reason to contact us, you may contact us either via GitHub Issues or by sending us an e-mail to support@hifis.net. Please be aware that if you want to contact us via GitHub, the terms and privacy policies of GitHub, Inc. apply.

GFZ is the data controller as defined in the General Data Protection Regulation, the national data protection laws of other EU member states, and other data protection regulations. The controller’s data protection officer can be reached at datenschutz@gfz-potsdam.de; phone: +49 331 288 1052.

15) Existence of automated decision making

As a responsible institute, we do not use automatic decision making.

16) Can this Privacy Statement be altered?

Yes, we reserve the right to alter this Privacy Statement. You will be notified of material changes, e.g. through a notice on the website.